
I set up Thunderbird to use PGP a while ago, so I can sign and decrypt messages now. But I have forgotten the passphrase for my private key; since Thunderbird can still decrypt anyway, it must have it stored somewhere. How can I get it?

I already know that the password with which encrypted-openpgp-passphrase.txt – the file that actually has my forgotten passphrase – is encrypted is stored in key4.db, but I was unable to figure it out by reading key4.db, both with a SQLite browser and with cat. The program firefox-decrypt is not helpful since it only gives me the login credentials for my e-mail server.

Ernest Bredar
  • https://support.mozilla.org/en-US/questions/1304363#answer-1349828 this might be helpful to clear up a few concepts on how Thunderbird stores PGP keys and passphrases – René Roth Jul 03 '21 at 19:57
  • @RenéRoth I already read this answer, but it wasn't of any use, since it doesn't describe how to get the password out of `key4.db`, just that it is in there. – Ernest Bredar Jul 03 '21 at 20:01
  • 1
    TB-78 handles PGP in a manner I disagree with and have dumped it in favor of *Interlink*. One of the things that TB-78 does is **discard your original passphrase** in favor of a new random password TB-78 generates. In turn the new password is protected by the TB master password, if you use one otherwise it's stored in the clear. As far as I know, your original passphrase is gone forever but even if you found it, it no longer has a use. – user10216038 Jul 04 '21 at 17:39
  • That doesn't sound realistic, but even if this is true, my question wasn't "why doesn't my password work anymore", but "how do I get the password out of TB", and this is still answerable even if TB changed it. – Ernest Bredar Jul 05 '21 at 15:48
  • 2
    Let me backup to some fundamentals. Your PGP *passphrase* was used to decrypt the underlying **Key**. Your original *passphrase* is gone! Your **new passphrase** is the **TB Master password**. The **Key** is in *key4.db*. If you did not use a TB *Master Password* the **Key** is in the clear. If you did use a *Master Password*, the **Key** is protected by the low grade standard Mozillia encryption algorithm. There are numerous tools available to process this algorithm if you are trying to extract the **Key**, you already know the **passphrase**. – user10216038 Jul 05 '21 at 18:01
  • @user10216038 I tried to use an empty passphrase with gpg but it didn't work since it expects at least one character. What is my passphrase and what are these tools you mentioned? – Ernest Bredar Jul 06 '21 at 11:52
  • 1
    One of the Thunderbird developers said: *"If you have the private key in Thunderbird, then you can use Thunderbird Key Manager to create a backup of your private key. Once you have the OpenPGP key manager open, select the key you need, then use the file menu and create a backup of that key. You will be asked to protect the exported key with a password that will be created. Once you are done creating the file, use your other software to import it, and enter the same password to unlock it."* – user10216038 Jul 28 '21 at 17:54

2 Answers


This is a preliminary answer. If you want to know Thunderbird's generated passphrase, it is indeed a 32-char hex string encrypted in encrypted-openpgp-passphrase.txt. You can decipher it using firepwd's code:

```python
# Appended to firepwd.py: decodeLoginData, CKA_ID, key, unpad and DES3 are firepwd's own.
# <encrypted passphrase> is the contents of encrypted-openpgp-passphrase.txt.
pp = decodeLoginData(<encrypted passphrase>)  # -> (key_id, iv, ciphertext)
assert pp[0] == CKA_ID                        # blob must use the default SDR key
iv = pp[1]
ciphertext = pp[2]
passphrase = unpad(DES3.new(key, DES3.MODE_CBC, iv).decrypt(ciphertext), 8)
print(passphrase)
```

Append this at the end of `firepwd.py`, then run `python firepwd.py -d ~/.thunderbird/<your profile>`.

But this passphrase won't work on GnuPG. If you back up your secret key, the passphrase won't work on GnuPG either, because the OpenPGP implementations of RNP (used by Thunderbird) and GnuPG are different. I managed to decrypt a mail using RNP, using the passphrase of the backed-up secret key.

(I am currently investigating why it does not work. It may be a matter of GNOME keyring cache.)

  • Just a note – RNP is not a Mozilla product; it was just picked by the Thunderbird team to be used as an OpenPGP backend instead of Enigmail. The second thing – is your keypair EdDSA/X25519? – Nickolay Olshevsky Sep 17 '21 at 08:58
  • Thanks for contributing to RNP! It was really easy to use. Indeed my keypair is Ed25519. – Jill-Jênn Vie Sep 25 '21 at 05:56
  • Then indeed it is a known issue of RNP with Curve25519 secret keys, which will be fixed soon via https://github.com/rnpgp/rnp/pull/1633 – Nickolay Olshevsky Sep 27 '21 at 09:19
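As an added example (not code from firepwd, Thunderbird, or the answer above), the following stdlib-only Python unpacks the container that encrypted-openpgp-passphrase.txt holds, i.e. the base64-wrapped DER structure that firepwd's decodeLoginData returns as (key id, IV, ciphertext), and runs the checks worth doing before spending time on the 3DES step: the key id must be the default SDR key id the firepwd snippet asserts on, the algorithm must be des-ede3-cbc, the IV must be 8 bytes and the ciphertext a multiple of 8. The sample blob is constructed inside the block (its ciphertext is all zeros, not a real encrypted passphrase); the exact nesting and the OID value 1.2.840.113549.3.7 are my reading of the NSS SDR format rather than something the answer states; decrypt_passphrase assumes pycryptodome is installed and that you already hold the master key recovered from key4.db.

```python
"""Unpack the SDR blob in Thunderbird's encrypted-openpgp-passphrase.txt.

Added example, not firepwd's or Thunderbird's code.  Assumed layout (my reading
of the NSS SDR format that firepwd's decodeLoginData unpacks):
  SEQUENCE { OCTET STRING keyId, SEQUENCE { OID alg, OCTET STRING iv }, OCTET STRING ciphertext }
Standard library only; the sample blob at the bottom is constructed test data.
"""
import base64
from binascii import unhexlify

# Default SDR key id that the firepwd snippet asserts on.
CKA_ID = unhexlify("f8000000000000000000000000000001")
# Assumption: the alg field carries des-ede3-cbc for these blobs.
OID_DES_EDE3_CBC = "1.2.840.113549.3.7"


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Dotted-string form of a DER OBJECT IDENTIFIER value."""
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def decode_sdr_blob(b64text):
    """Unpack base64 text into (key_id, alg_oid, iv, ciphertext)."""
    der = base64.b64decode(b64text.strip())
    tag, outer, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag1, key_id, pos = _read_tlv(outer, 0)
    tag2, alg, pos = _read_tlv(outer, pos)
    tag3, ciphertext, _ = _read_tlv(outer, pos)
    if (tag1, tag2, tag3) != (0x04, 0x30, 0x04):
        raise ValueError("unexpected element tags in SDR blob")
    tag4, oid, pos = _read_tlv(alg, 0)
    tag5, iv, _ = _read_tlv(alg, pos)
    if (tag4, tag5) != (0x06, 0x04):
        raise ValueError("unexpected algorithm identifier layout")
    return key_id, _decode_oid(oid), iv, ciphertext


def check_blob(b64text):
    """Checks to run before the 3DES step; returns a list of problems (empty = fine)."""
    key_id, oid, iv, ct = decode_sdr_blob(b64text)
    problems = []
    if key_id != CKA_ID:
        problems.append("key id is not the default SDR key id firepwd asserts on")
    if oid != OID_DES_EDE3_CBC:
        problems.append(f"algorithm {oid} is not des-ede3-cbc")
    if len(iv) != 8:
        problems.append(f"IV is {len(iv)} bytes, 3DES-CBC needs 8")
    if len(ct) % 8:
        problems.append("ciphertext length is not a multiple of the 3DES block size")
    return problems


def decrypt_passphrase(b64text, master_key):
    """Same operation as the firepwd snippet, with the padding verified.  Assumes
    pycryptodome is installed and master_key is the 24-byte SDR key from key4.db."""
    from Crypto.Cipher import DES3
    key_id, oid, iv, ct = decode_sdr_blob(b64text)
    if key_id != CKA_ID or oid != OID_DES_EDE3_CBC:
        raise ValueError("blob does not use the default 3DES SDR key")
    pt = DES3.new(master_key, DES3.MODE_CBC, iv).decrypt(ct)
    pad = pt[-1]
    if not 1 <= pad <= 8 or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong master key?")
    return pt[:-pad]


# --- constructed sample; the encoder exists only to build test data ---
def _tlv(tag, value):
    assert len(value) < 128                # short-form length suffices here
    return bytes([tag, len(value)]) + value


def _encode_oid(dotted):
    nums = [int(x) for x in dotted.split(".")]
    out = bytes([40 * nums[0] + nums[1]])
    for n in nums[2:]:
        chunk = [n & 0x7F]
        n >>= 7
        while n:
            chunk.append(0x80 | (n & 0x7F))
            n >>= 7
        out += bytes(reversed(chunk))
    return out


def build_sample_blob(key_id=CKA_ID, iv=bytes(range(1, 9)), ciphertext=bytes(40)):
    """A 32-char hex passphrase plus 8 bytes of PKCS#7 padding encrypts to 40
    bytes, hence the default size.  Contents are zeros, not real data."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(OID_DES_EDE3_CBC)) + _tlv(0x04, iv))
    body = _tlv(0x04, key_id) + alg + _tlv(0x04, ciphertext)
    return base64.b64encode(_tlv(0x30, body)).decode()
```

Run check_blob on the file's contents first: an empty list means the blob is what the firepwd snippet expects, and a non-empty one tells you why that snippet's assert or unpad would fail, which is cheaper than guessing at the master key. Only then is decrypt_passphrase worth calling with the key recovered from key4.db.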

What OS are we talking about? If it's Ubuntu Linux, have you tried the following:

  1. Install pip and gnome-keyring: apt-get install python-pip python-gnomekeyring
  2. Clone or install the following repo: https://github.com/kparal/gkeyring
    • sudo pip install --upgrade --user gkeyring
  3. Now search in the dash (click Ubuntu logo) for "Passwords and Keys" application (this is Seahorse).
  4. Under the subsection called "Passwords" click the item "Login". You should see your PGP key with a lock.
  5. Right-click, select Properties. Then copy the Description field (CTRL-C).
  6. Now in the terminal, type: $ ./gkeyring --name "..."
    • Keep the quotes, and paste that description where the ... is. It should look something like: $ ./gkeyring --name "PGP Key: John Smith <***@smith.com>"
  7. When you press enter it will display your password
schroeder
Gn0m3
  • Thank you for trying to help me, but it didn't work. gkeyring only gives me the password for my nextcloud installation, not for my private key. (I use Debian by the way.) – Ernest Bredar Jul 14 '21 at 14:54